DNSTrap

A DNSTrap is simply a DNS (Domain Name System) entry that triggers an alert whenever someone performs a lookup of the DNSTrap domain name, or of a service that uses it. Below is an example and some use cases.

Here’s a unique hostname: ndali5xta7jv8gcquo10yefpe.watchpointdata.com

    • Include the DNSTrap in PTR entries for the dark (unused) IP space of your internal network. This lets you quickly determine whether someone is walking your internal reverse DNS, without having to configure DNS logging and monitoring.
    • Set up an A record and a PTR record that point to the public IP of the DNSTrap. Neither record is required, but both are recommended: hackers will often browse PTR records as a way to avoid DNS logging and monitoring.
    • Set up a CNAME that points to the DNSTrap. Pick a name that isn’t an existing resource yet would still be enticing to a hacker.
    • Create a batch job that appends a reference to the DNS entry to .bash_history, something like ‘ssh cname.mydomain.com’. That way, if the account is ever compromised, you can be alerted when the attacker follows what they find in .bash_history!
    • On Windows, create a scheduled task that appends the DNSTrap to the Remote Desktop connection history list (see http://woshub.com/how-to-clear-rdp-connections-history/).
    • Add it to PuTTY’s saved session list.
    • Put it in your favorites (bookmarks) list.
    • A DNSTrap is also used together with the DBTrap.
    • Place it in a .bash_history, .ssh/config, or ~/servers.txt file.
    • The list goes on and on…
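The alerting side of the first three use cases, as an added example that is not part of the original page or of the DNSTrap service: it scans BIND-style query log lines for lookups of the DNSTrap (or a bait CNAME pointing at it) and for PTR walks of a dark internal range. The bait name backup-db.mydomain.com, the 10.9.0.0/24 range and the log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed (not from the page): a hypothetical bait CNAME alongside the DNSTrap,
# and a hypothetical dark /24 whose PTR records point at the DNSTrap.
TRAP_NAMES = {"ndali5xta7jv8gcquo10yefpe.watchpointdata.com", "backup-db.mydomain.com"}
DARK_RANGE = ipaddress.ip_network("10.9.0.0/24")

# "client [@0x..] <ip>#<port> (<name>): query: <name> IN <type>" as in a BIND query log
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>[\d.]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)

def ptr_to_ip(qname):
    """Map 'd.c.b.a.in-addr.arpa' back to the IPv4 address a.b.c.d, or None."""
    q = qname.rstrip(".").lower()
    if not q.endswith(".in-addr.arpa"):
        return None
    octets = q[: -len(".in-addr.arpa")].split(".")
    try:
        return ipaddress.ip_address(".".join(reversed(octets))) if len(octets) == 4 else None
    except ValueError:
        return None

def find_trap_hits(log_lines):
    """Return (source_ip, qtype, qname, reason) for each query that touches a trap."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        src, qname, qtype = m["src"], m["qname"].rstrip(".").lower(), m["qtype"]
        if qname in TRAP_NAMES:
            hits.append((src, qtype, qname, "lookup of DNSTrap name"))
        elif qtype == "PTR" and (ip := ptr_to_ip(qname)) is not None and ip in DARK_RANGE:
            hits.append((src, qtype, qname, "reverse lookup in dark IP space"))
    return hits

# Constructed sample log: benign A, bait-CNAME lookup, PTR walk into dark range, benign PTR
SAMPLE_LOG = [
    "client 10.0.0.5#53211 (www.mydomain.com): query: www.mydomain.com IN A +E(0)K (10.0.0.2)",
    "client 10.0.0.77#41022 (backup-db.mydomain.com): query: backup-db.mydomain.com IN A +E(0)K (10.0.0.2)",
    "client @0x7f3a 10.0.0.77#41023 (7.0.9.10.in-addr.arpa): query: 7.0.9.10.in-addr.arpa IN PTR +E(0)K (10.0.0.2)",
    "client 10.0.0.5#53212 (1.0.0.10.in-addr.arpa): query: 1.0.0.10.in-addr.arpa IN PTR +E(0)K (10.0.0.2)",
]

if __name__ == "__main__":
    for hit in find_trap_hits(SAMPLE_LOG):
        print("ALERT", *hit)
```

Only the two queries from 10.0.0.77 are reported; ordinary forward lookups and reverse lookups of live addresses stay silent.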

For additional recommended reading, please visit our Need to Know page.